On Tue, Jul 03, 2001 at 05:53:04PM +0200, Oskar Sandberg wrote:
> - A system like the current one would be disastrous. Nothing truly
> stops anyone from simply inserting whatever addresses they want, and it
> would be completely trivial to keep it nearly saturated with fake
> addresses leading to nodes that are simply MITM (man in the middle) proxies.
> It is only a matter of time before such a system is attacked.
Nothing here that I don't point out in my original post on the
subject...
> - The model of having us try to be everybody's trusted peer is not a lot
> better. All our conjectures about the safety of our model are based on
> the absence of centralized points in the network - any single node is
> too easy to manipulate. Ian believes that the issues produced can be
> solved by "modifications", but those modifications are whack-a-mole for
> each attack that is brought up - the fact remains that the entire threat
> model has to go out the window if we design around a central element.
So we can either wring our hands and gripe about the difficulty of
creating a better public trusted seed node, or actually start thinking
about how to build one. I have started by suggesting that local
announcement messages not be cached. Perhaps, Oskar, your time might be
well spent thinking about a new threat model for a public trusted seed
node. Or perhaps we need a ground-up implementation rather than
starting with an existing node and modifying it. Either way, if the
choice is between losing 99.9% of our user base, and solving this
problem, I choose the latter.
> Add to that the dubious topological effects of such a presence and you
> have yourself a big headache.
This is a separate issue; the announcement protocol is designed to
counter such an effect. The current network topology survived the much
more blunt instrument of inform.php.
> Everybody agrees that the right thing for users to do is to try to get
> initial references from peers that are trusted through external
> channels. Ian says that, whatever we do, people are not going to be
> vigilant in this process anyway, and that they are better off turning
> to us than whoever will run a centralized element if we do not. My point
> however is this: if we put in code to automatically contact a
> centralized element in our node, then we can spend the rest of our lives on
> Mount Sinai chopping the reasons why it is bad into slabs of rock, and
> we will still have condoned, encouraged and supported it.
For someone who supports freedom of information, your view that people
must be denied functionality that *might* hurt them, even when they are
made aware that this could be the case, is peculiar to say the least.
If we cannot believe that people are smart enough to understand what we
mean when we say "If you want to avoid the danger of joining a
compromised network, you should obtain a node address from someone you
trust, however if you are willing to take the risk you may trust node
XXX", then they probably aren't smart enough to judge what information
is "good" and "bad" for themselves either, and thus we are working for
nothing.
Ian.